Method and Apparatus for Topology Discovery Enabled Intrusion Detection

ABSTRACT

The present invention discloses a method and apparatus for topology discovery enabled intrusion detection. In information and communications technology (ICT) systems, end devices are organized into subnets that communicate with the system center through multi-service gateways. Any intrusion can incur variations in the communications environments and the subnet topologies. The potential external intruding devices are detected by the varied communications environments and identified by the difference between the original and new subnet topologies constructed by the topology discovery method. The information of potential external intruding devices is sent to the system center for device authentication. If it passes, the device is kept associated and the topology of the entire ICT system is updated with the newly discovered subnet topology. If it fails, the device is enforced to disassociate, and an enhanced secure mode is triggered in which the messages communicated over the intruded subnet are encrypted.

TECHNICAL FIELD

The present invention relates to a topology discovery enabled intrusion detection method in hierarchical information and communications technology (ICT) systems with networked end devices, where a hierarchical ICT system comprises layered networks, multi-service gateways, and one or more system data and control centers.

TECHNICAL BACKGROUND

Network intrusion by external devices has become one of the most critical challenges to security and privacy protection in complex ICT systems consisting of hierarchical subnets. Each subnet maintains its own access control and security provision, which features extremely low intrusion detection capability. On the other hand, the ICT system is often designed with additional security and authentication mechanisms and operated to support specific applications and goals, for instance, smart buildings and intelligent transportation systems. An external device could intrude into a subnet first and then intrude into the ICT system by eavesdropping on the communications within the subnet and on the data exchange between the subnet and the ICT system data and control center. The external intruding devices can perform attacks on the ICT systems with severe consequences through message spoofing, dropping, tampering, flooding, replaying, and eavesdropping. The malicious attacks can finally expose the private messages of the ICT systems to the adversaries. The malicious attacks can also drain the system resources with excess messages and mislead the systems with tampered messages. Therefore, the detection of external intruding devices at the subnets is of great importance in securing complex ICT networks, particularly due to the proliferation of low-end Internet-of-Things (IoT) devices, which are extremely susceptible to identity theft, spoofing, and impersonation. Consequently, the present invention, the topology discovery enabled intrusion detection method, is critical for hierarchical and complex ICT systems. By exploiting the disclosed method, external intruding devices can be detected and identified reliably and in a timely manner when they gain unauthorized access to the ICT systems.

REFERENCES CITED

U.S. Patent Documents:
a) U.S. Pat. No. 7,315,985 B1, January 2008, Francois Gauvin et al.;
b) U.S. Pat. No. 9,407,507 B2, August 2016, Saiyiu Duncan Ho et al.;
c) U.S. Pat. No. 8,984,113 B2, March 2015, Hui Li et al.;
d) U.S. Pat. No. 7,996,556 B2, August 2011, Kollivakkam Raghavan et al.

System Architecture and Components of Hierarchical ICT Systems

A typical hierarchical ICT system is shown in FIG. 1, which comprises: 1) subnet tier 103, which consists of subnets 106 organized by networked end devices 107; 2) gateway tier 102, which is formed by multi-service gateways 105; 3) system center tier 101, which comprises one or more ICT system data and control centers 104. In particular, the end devices 107 have low mobility and rarely move after the initial deployment stage of the ICT systems. The hierarchical ICT system in FIG. 1 is a generalized system architecture, which can be used to represent homogeneous networks, heterogeneous networks, hybrid/mixed communications networks, computing systems, and vertical industry application systems.

In a hierarchical ICT system, the subnet tier 103 comprises several subnets 106, which are self-organized or manually organized by the end devices 107 through wireless or wired connections. In addition to their inherent communication capabilities, these end devices could have additional capabilities to support a wide variety of applications for sensing, controlling, and actuating purposes. An embodiment of the structure of an end device 107 is illustrated in FIG. 2, which consists of the following units: a sensor/actuator unit 201, a processor unit 202, a communications unit 203, and a power unit 204.

In the sensor/actuator unit 201, the sensors 205 are responsible for sensing and collecting the information of the monitoring targets and/or environments. The selection of sensors 205 is determined by the requirements of the applications. For example, temperature sensors, humidity sensors, and carbon dioxide titer sensors are among the most typically used sensors for forest fire monitoring. The actuators 206 are responsible for reacting to the feedback from the system center. The selection of actuators 206 is also determined by the requirements of the applications. For example, fans and heaters are commonly used in an indoor temperature control system. In the sensor/actuator unit 201, the analog-to-digital converter (ADC) module 207 is optional; it is used to convert the analog signals collected from analog sensors into digital signals to match the digital ICT systems.

The processor unit 202 is built with a microprocessor or microcontroller 208 and a memory 209, and is used to control and coordinate the multiple units in the end device 107 and conduct basic calculations. Memory 209 is used to store both fundamental system instructions and a small amount of sensing data.

The specific type of communications interface 210 embedded in the communications unit 203 is determined by the communications protocol adopted by the end device and its subnet according to practical demands. For a wireless end device 107, the communications unit 203 is the wireless RF module. The communications protocols adopted by the communications interface 210 can be LTE, NB-IoT, Wi-Fi, Bluetooth, LoRa, ZigBee, etc. For a wired end device 107, a wired communications interface 210 would be built into the communications unit 203, such as a USB interface, a JTAG interface, or an Ethernet interface.

The multi-service gateways 105 are built with multiple communications interfaces, which can directly communicate with both the end devices 107 and the ICT system data and control center 104. As the intermediate layer in the hierarchical ICT systems, the multi-service gateways 105 have the following functions: 1) as a relay, uploading the messages from end devices 107 to the ICT system data and control center 104 and forwarding the returning commands from the ICT system data and control center 104 to the end devices 107; 2) as a coordinator, cooperating with and coordinating the connected subnets 106 and end devices 107; 3) as an executor, reacting to the control commands and instructions from the ICT system data and control center 104. Furthermore, the multi-service gateways 105 can communicate with each other in a peer-to-peer way and form the interconnected gateway tier 102.

The ICT system data and control center 104 consists of one or multiple servers, which have strong computation and storage capabilities. As a data center, it takes responsibility for comprehensive data analytics and massive data storage. As a control center, it is responsible for making decisions based on the data analytics and sending control commands back to manage the multi-service gateways 105 or actuate the end devices 107 through the multi-service gateways 105. The ICT system data and control center 104 has a global view of the entire ICT system, which can be utilized for centralized device authentication. In the initial deployment stage, all the multi-service gateways 105 and end devices 107 involved in the ICT system are authenticated by the ICT system data and control center 104.

The term “topology” refers to the connectivity status among the networked devices, including end devices and gateways. In the hierarchical ICT system of FIG. 1, the system topology comprises the topology of the gateway tier 102 and the topologies of all the subnets 106. In the initial deployment stage, the end devices 107 are organized into subnets 106. Each subnet 106 is associated with a multi-service gateway 105. The system topology is constructed at the ICT system data and control center 104 by using the hierarchical topology discovery method, which is a process to find out the connectivity status among all the devices in the system.

Network intrusion by external devices in this disclosure refers to the situation in which certain devices that do not belong to an ICT system gain network access to a subnet and the associated resources and privileges in an unauthorized way. Due to the openness and weak security protection at subnets, an intruding device can often easily gain access to the subnets. By eavesdropping on the communications within the subnets and on the data exchange between the subnets and the ICT system data and control center, such an intruding device can further intrude into the ICT system. Since the activities conducted by the external intruding devices can hardly be detected, predicted, or controlled by the subnets, the external intruding devices and the corresponding activities can lead to extremely high security and privacy risks for the ICT systems.

The external intruding devices can perform attacks on the ICT systems with severe consequences through message spoofing, dropping, tampering, flooding, replaying, and eavesdropping. More specifically, 1) spoofing: sending forged messages to mislead the authenticated devices with fake information; 2) dropping: knocking off the messages communicated between authenticated devices in the ICT systems; 3) tampering: monitoring and modifying the messages in the middle of authorized communications; 4) flooding: sending a massive amount of forged messages to drain the system resources and block the authorized communications; 5) replaying: repeatedly sending messages obtained through eavesdropping to mislead the devices with previously authorized messages; and 6) eavesdropping: illegally overhearing and monitoring the messages communicated between authenticated devices in the ICT systems.

The malicious attacks conducted by the external intruding devices can finally lead to the following potential security and privacy consequences in the ICT systems: 1) exposure of private messages incurred by illegal eavesdropping; 2) no reactions from authenticated devices to authorized control commands due to message dropping; 3) misbehavior of authenticated devices led by forged, modified, or repeated messages; 4) system resource draining due to message flooding.

In order to perform the network intrusion related attacks, an external intruding device often has to join the ICT system through unauthorized association with an authenticated device. As a consequence, the external intruding devices make an impact on the structure of the intruded ICT system and result in its topology variation. Therefore, based on the topology variation incurred by the external device intrusion, the external intruding devices can be identified by the disclosed topology discovery enabled intrusion detection method.

BRIEF SUMMARY OF THE INVENTION

The current invention is the topology discovery enabled intrusion detection method for hierarchical ICT systems, where the external intruding devices are identified based on the difference between the network topologies discovered before and after the intrusion occurs. Specifically, the external device intrusion can lead to variations in both the physical communications environments and the system topology. If any variation in the physical communications environment of a certain subnet 106 is detected by its connected multi-service gateway 105, a new round of subnet topology discovery is triggered, where the attributes used to detect the variation in the physical communications environments are determined by the wireless or wired communication protocols adopted in the specific ICT systems. The potential external intruding devices are then identified based on the variations between the original topology and the newly discovered topology. The information of the identified potential external intruding devices is sent to the ICT system data and control center 104 for centralized device authentication. If a potential external intruding device passes the authentication, then the potential external intruding device is kept associated with the ICT system. The system topology of the entire ICT system is updated with the newly discovered subnet topology. If a potential external intruding device fails to pass the authentication, then it is considered an external intruding device, which is enforced to disassociate from the system, and an enhanced secure mode is triggered. In the enhanced secure mode, all the messages communicated in the intruded subnet are encrypted by asymmetric cryptography.

BRIEF DESCRIPTION OF THE DRAWINGS

To make the present invention better understood, and the features and advantages of the invention more apparent, a description of the accompanying drawings will be given.

FIG. 1 is a system diagram illustrating a general three-tier hierarchical ICT system, which consists of a system center tier 101 with a centralized ICT system data and control center 104, a gateway tier 102 with several distributed and interconnected multi-service gateways 105, and a subnet tier 103 with a massive amount of heterogeneous subnets 106 that are organized by static end devices 107.

FIG. 2 is a block diagram illustrating the general structure of an end device 107 in the ICT systems, which comprises a sensor/actuator unit 201, a processor unit 202, a communication unit 203, and a power unit 204.

FIG. 3 is a flow diagram illustrating the example operations for the invented topology discovery enabled intrusion detection mechanism.

FIG. 4 illustrates the example operations for the hierarchical topology discovery method.

FIG. 5 illustrates the example operations for the subnet topology discovery method.

FIG. 6 is an example sequence diagram for the external intruding device identification method executed at the gateway.

FIG. 7 is a diagram illustrating an example case of a ZigBee subnet in a smart building system with two external intruding devices.

DETAILED DESCRIPTION OF THE INVENTION

In the initial deployment stage, end devices 107 are organized into subnets 106. The way of subnet organization is determined by the wired or wireless communication protocol adopted. For example, in the ZigBee protocol, a device indicates its existence by broadcasting beacon signals, which comprise the device information. Any other devices within the wireless communication range can hear the beacon signals and determine whether to build the connection. If a device within range decides to connect with the beacon sender, it sends a connection request to the beacon sender. If the beacon sender agrees to connect, it sends back a connection response. After receiving the connection response, the requester sends an acknowledgment. These two devices then build a wireless communication link and add each other to their local neighbor tables. A local neighbor table is a locally stored list of the directly connected devices. The ZigBee subnets are finally formed through the connected end devices.

A multi-service gateway 105 that passes the centralized authentication at the ICT system data and control center 104 is assigned to a subnet 106 for relaying the communications between the subnet and the ICT system data and control center 104. The end devices 107 in the subnet communicate with the corresponding multi-service gateway through single or multiple hops. The multi-service gateways 105 are interconnected to form the gateway tier 102 through either wireless or wired links. The information of the end devices 107 is sent to the ICT system data and control center 104 for centralized authentication through their connected multi-service gateways 105. Only the end devices 107 that pass the authentication are kept in the ICT system. The authenticated end devices 107 are assigned a pair of public and private keys by their connected multi-service gateways 105 for encrypted communications in the secure mode. The end devices 107 that fail to pass the authentication are enforced to disassociate from the ICT system.

The term “topology” refers to the connectivity status among the networked devices, including end devices and gateways, in a system. The system topology of a hierarchical ICT system as illustrated in FIG. 1 comprises both the topology of the gateway tier 102 and the topologies of all the subnets 106 in the subnet tier 103. Topology discovery is the procedure of constructing the system topology at the ICT system data and control center 104. At the ICT system data and control center 104, the multi-service gateways 105 are denoted as G = [g₁, g₂, . . . , g_k] and the total number of gateways is k = |G|. The n end devices 107 are denoted as E = [e₁, e₂, . . . , e_n] and |E| = n. The system topology is represented by the logical adjacency matrix C. The logical adjacency matrix C is a binary matrix, where “1” indicates the existence of a valid communication link between two devices (either multi-service gateways 105 or end devices 107), no matter whether they are connected wirelessly or by wire. By contrast, “0” indicates the disconnected status. For any two devices u and v,

$C_{u,v} = \begin{cases} 1, & \text{if } (u, v) \text{ exists}, \\ 0, & \text{otherwise}. \end{cases}$

where (u, v) refers to the valid communication link between devices u and v.

Methodology of Topology Discovery Enabled Intrusion Detection

The methodology flowchart of the invented topology discovery enabled intrusion detection mechanism is shown in FIG. 3. At block 301, the hierarchical topology initial discovery method is executed to construct the system topology at the ICT system data and control center 104 after the initial deployment stage, where the system topology of a hierarchical ICT system comprises the topology of the gateway tier 102 and the topologies of all the subnets 106 in the subnet tier 103.

FIG. 4 is the flow diagram of the hierarchical topology initial discovery method. The multi-service gateways 105 report their local neighbor tables to the ICT system data and control center 104 at block 401. At block 402, the ICT system data and control center 104 builds the topology of the gateway tier 102 in the form of a logical adjacency matrix C_G based on the connectivity information stated in the local neighbor tables.

At block 403, the subnet topology discovery method is executed at each of the multi-service gateways 105 to build the topology of its connected subnets. The flow diagram of the subnet topology discovery method is illustrated in FIG. 5. At block 501, a multi-service gateway 105 randomly selects one of its directly connected end devices 107 as the starting device. The multi-service gateway 105 then generates a packet and forwards the packet to the starting device for information collection at block 502. At block 503, when the starting device receives the packet, it adds its device ID and local neighbor table to the packet. One of the directly connected end devices 107 is randomly selected as the next-hop device with equal probability 1/d_(e_i) at block 504, where d_(e_i) is the number of directly connected end devices of device e_i, termed the device degree. At block 505, it determines whether the next-hop end device is the starting device. If the next-hop end device is not the starting device, then it determines whether the next-hop end device is hit for the first time at block 506 by checking whether the device ID is already comprised in the payload of the packet. If the next-hop end device is hit for the first time, its device ID and local neighbor table are added to the packet when the next-hop end device receives the packet at block 507. Afterwards, the packet is forwarded at block 504. If the next-hop end device is not hit for the first time, then the packet is directly forwarded at block 504. At block 505, if the next-hop device is determined to be the starting device, then the packet is reported to the multi-service gateway 105 by the starting device at block 508. The multi-service gateway 105 determines whether the process of subnet topology discovery is convergent at block 509 by checking whether the number of hit devices is stable for half of the packet returning times. If the process of subnet topology discovery is not convergent, a new starting device is selected, and a new round of subnet topology discovery is triggered at block 501. If convergent, the process of subnet topology discovery terminates.

At block 404, a multi-service gateway 105 determines whether the process of subnet topology discovery has terminated. If the process has terminated, the subnet topology is constructed at the gateway in the form of a logical adjacency matrix based on the collected device IDs and neighbor tables at block 405. The gateways then report the constructed subnet topologies to the ICT system data and control center 104 at block 406. At block 407, the system topology is finally formed at the ICT system data and control center 104 based on the topology of the gateway tier 102 constructed at block 402 and the topologies of the subnets received from the multi-service gateways 105 at block 406.
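The random-walk discovery of blocks 501 to 509 and the matrix construction of block 405, as an added Python example that is not part of the patent. The subnet is the nine end devices of Table 1 expressed as local neighbor tables; the gateway's direct links to TS1 and TS2, the reading of the block-509 convergence test as "the hit count is unchanged over the latest half of the returned packets, after at least four returns", and the step cap on a single walk are assumptions of this example.

```python
import random
from typing import Dict, List, Set, Tuple

# Sample subnet for the walk: the nine end devices of Table 1 with their local neighbor
# tables (lists of directly connected end devices). The gateway's own direct links are
# an assumption of this example; the page does not say which devices gateway 702 reaches.
NEIGHBOR_TABLES: Dict[str, List[str]] = {
    "TS1": ["HS1", "IS1"],
    "TS2": ["HS2", "IS2"],
    "TS3": ["HS2", "HS3", "IS1"],
    "HS1": ["TS1", "IS1"],
    "HS2": ["TS2", "TS3", "HS3", "IS2"],
    "HS3": ["TS3", "HS2", "IS2", "IS3"],
    "IS1": ["TS1", "TS3", "HS1"],
    "IS2": ["TS2", "HS2", "HS3", "IS3"],
    "IS3": ["HS3", "IS2"],
}
GATEWAY_NEIGHBORS: List[str] = ["TS1", "TS2"]   # assumed direct links of the gateway


def random_walk(start: str, tables: Dict[str, List[str]], rng: random.Random,
                max_steps: int = 10_000) -> Dict[str, List[str]]:
    """Blocks 502-508: one packet starts at `start`, records the ID and neighbor table of
    every device it hits for the first time, and is reported back when the next hop is
    the starting device. Returns the packet payload (device ID -> neighbor table)."""
    payload: Dict[str, List[str]] = {start: list(tables[start])}   # block 503
    current = start
    for _ in range(max_steps):
        nxt = rng.choice(tables[current])        # block 504: uniform 1/d over direct neighbors
        if nxt == start:                         # block 505: next hop is the starting device
            return payload                       # block 508: report to the gateway
        if nxt not in payload:                   # block 506: hit for the first time?
            payload[nxt] = list(tables[nxt])     # block 507: record ID and neighbor table
        current = nxt
    raise RuntimeError("packet did not return to the starting device within max_steps")


def is_convergent(hit_history: List[int], min_returns: int) -> bool:
    """Block 509, read here as: the number of hit devices has not changed over the most
    recent half of the packet returns, and at least `min_returns` packets have returned."""
    if len(hit_history) < min_returns:
        return False
    window = hit_history[-((len(hit_history) + 1) // 2):]
    return len(set(window)) == 1


def adjacency_from_tables(collected: Dict[str, List[str]]) -> Tuple[List[str], Dict[str, Dict[str, int]]]:
    """Block 405: build the binary logical adjacency matrix C (here a dict of dicts keyed
    by device ID) from the collected IDs and neighbor tables; links are undirected."""
    ids = sorted(set(collected) | {v for nbrs in collected.values() for v in nbrs})
    C = {u: {v: 0 for v in ids} for u in ids}
    for u, nbrs in collected.items():
        for v in nbrs:
            C[u][v] = C[v][u] = 1
    return ids, C


def discover_subnet(tables: Dict[str, List[str]], gateway_neighbors: List[str],
                    seed: int = 7, min_returns: int = 4):
    """Blocks 501-509: repeat random walks from randomly chosen starting devices until the
    hit count is convergent; returns (ids, C, hit_history, hit_devices)."""
    rng = random.Random(seed)
    collected: Dict[str, List[str]] = {}
    hit_history: List[int] = []
    while not is_convergent(hit_history, min_returns):
        start = rng.choice(gateway_neighbors)            # block 501
        collected.update(random_walk(start, tables, rng))
        hit_history.append(len(collected))               # devices hit so far, per returned packet
    ids, C = adjacency_from_tables(collected)
    hit: Set[str] = set(collected)
    return ids, C, hit_history, hit


if __name__ == "__main__":
    ids, C, history, hit = discover_subnet(NEIGHBOR_TABLES, GATEWAY_NEIGHBORS)
    print("hit-count history per returned packet:", history)
    for u in ids:
        print(u, [C[u][v] for v in ids])
```

Because the walk records the full neighbor table of every device it hits, the matrix at block 405 can already contain devices the packet never reached; the link is still genuine, since it came from a hit device's table. The hit history shows how quickly the convergence rule stops issuing new packets.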

After the hierarchical topology initial discovery terminates, the physical attributes of the communications environments in the subnets 106 are monitored by the multi-service gateways at block 302. The physical attributes used are determined by the specific communication protocols adopted in the subnets 106. For example, for wireless communication subnets, the signal-to-interference-plus-noise ratio (SINR) is used, since external device intrusion can incur variations in the communications interference. For wired communication subnets, the number of messages communicated within a given period can be recorded to detect the intrusion, since external device intrusion can change the frequency of message communications.

At block 303, a multi-service gateway 105 determines whether any attribute in its connected subnet has changed. If the variation of any attribute is beyond a certain threshold, the subnet topology discovery is triggered within the subnet at block 304 to construct the new logical adjacency matrix, where the thresholds are determined by the practical applications and obtained through multiple rounds of testing in the initial deployment stage.
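The attribute monitoring of blocks 302 to 304, as an added Python example that is not part of the patent: a threshold is derived from samples recorded during initial-deployment testing and each new sample is judged against it. The calibration samples, the rule of three standard deviations around the baseline mean with a minimum margin, and the SINR and wired message-count figures are all constructed assumptions; the page only says that the thresholds come from repeated testing.

```python
from statistics import mean, stdev
from typing import Dict, List, Sequence

# Constructed calibration samples (assumed values): SINR in dB seen by a gateway on a
# wireless subnet, and messages per 60 s period on a wired subnet, both recorded during
# repeated testing in the initial deployment stage.
SINR_CALIBRATION_DB: List[float] = [21.0, 20.6, 21.3, 20.9, 21.1, 20.8, 21.2, 20.7, 21.0, 20.9]
WIRED_MSGS_PER_PERIOD_CALIBRATION: List[int] = [118, 121, 119, 120, 122, 118, 121, 120, 119, 120]


class AttributeMonitor:
    """Blocks 302-303 for one physical attribute. The threshold is derived from the
    initial-stage samples (assumed rule: k standard deviations around the baseline mean,
    but never below `min_margin`, which guards against a near-zero spread)."""

    def __init__(self, name: str, calibration: Sequence[float], k: float = 3.0,
                 min_margin: float = 0.0) -> None:
        if len(calibration) < 2:
            raise ValueError("need at least two calibration samples")
        self.name = name
        self.baseline = mean(calibration)
        self.threshold = max(k * stdev(calibration), min_margin)

    def deviation(self, sample: float) -> float:
        """Absolute variation of a new sample from the calibrated baseline."""
        return abs(sample - self.baseline)

    def changed(self, sample: float) -> bool:
        """True when the variation of this attribute is beyond the threshold."""
        return self.deviation(sample) > self.threshold


def attributes_beyond_threshold(monitors: Sequence[AttributeMonitor],
                                samples: Dict[str, float]) -> List[str]:
    """Block 303: names of the attributes whose latest sample varies beyond threshold.
    A non-empty result is what triggers subnet topology discovery at block 304."""
    return [m.name for m in monitors if m.name in samples and m.changed(samples[m.name])]


def build_monitors() -> List[AttributeMonitor]:
    # Margins are assumed operating choices: 1 dB of SINR and 5 messages per period.
    return [
        AttributeMonitor("sinr_db", SINR_CALIBRATION_DB, k=3.0, min_margin=1.0),
        AttributeMonitor("msgs_per_period", WIRED_MSGS_PER_PERIOD_CALIBRATION, k=3.0, min_margin=5.0),
    ]


if __name__ == "__main__":
    monitors = build_monitors()
    for m in monitors:
        print(f"{m.name}: baseline={m.baseline:.2f} threshold={m.threshold:.2f}")
    # Constructed observation: SINR drops by several dB, the wired message rate is unchanged.
    latest = {"sinr_db": 17.5, "msgs_per_period": 123}
    print("trigger subnet topology discovery for:", attributes_beyond_threshold(monitors, latest))
```

The minimum margin matters in practice: a very quiet calibration window gives a tiny standard deviation, and without the floor the gateway would trigger discovery on ordinary fading or a single burst of traffic.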

The potential external intruding devices are identified by the potential external intruding device identification method at block 305. The logical adjacency matrices of the original topology and the newly discovered topology of the subnet are denoted as C_(sub) and C′_(sub), respectively. In the potential external intruding device identification method as illustrated in the flow diagram of FIG. 6, the number of potential external intruding devices in the subnet is determined by (n′ − n) at block 601, where n′ and n are the dimensions of C′_(sub) and C_(sub), respectively. At block 602, the variations in communication links are discerned by the exclusive or between the original and newly discovered logical adjacency matrices, XE = C′_(sub) ⊕ C_(sub). At block 603, the variations in device degree are recognized by accumulating the difference between the original and newly discovered logical adjacency matrices, XV_(i) = Σ_(j=1)^(n′) (C′_(sub,i,j) − C_(sub,i,j)). Finally, the devices with both non-zero values in the device degree variation vector XV and non-registered IDs are identified as potential external intruding devices at block 604. The intrusion positions of the potential external intruding devices can be identified by the non-zero items in the communication link variation matrix XE at block 605.

At block 306, the multi-service gateway 105 reports the information of the potential external intruding devices to the ICT system data and control center 104 for centralized device authentication. At block 307, the ICT system data and control center 104 determines whether the potential external intruding devices are true external intruding devices or trusted devices. If a potential external intruding device passes the authentication and is labeled as a trusted device, the ICT system data and control center 104 sends the authentication result to the multi-service gateway 105 to keep the device associated with the subnet, and the multi-service gateway 105 uploads the newly discovered subnet topology to the ICT system data and control center 104 to update the system topology at block 309. The multi-service gateway 105 continues to monitor the physical attributes of the communications environments in its connected subnet at block 301. If a potential external intruding device fails to pass the authentication, the ICT system data and control center 104 sends control commands and instructions to the multi-service gateway 105 to enforce the disassociation of the true external intruding device and trigger the enhanced secure mode.

In the enhanced secure mode, all the messages communicated over the intruded subnet are protected by asymmetric cryptography. In the initial deployment stage, all the end devices 107 in the subnet are assigned a pair of public and private keys by the connected multi-service gateway 105. When the enhanced secure mode is triggered, the messages are encrypted by the sending devices with their private keys. The messages are decrypted at the receiving devices with the public key. The operations of encryption and decryption consume extra system resources. Thus, the enhanced secure mode is triggered only when an intrusion occurs, which sacrifices system resources for security. The multi-service gateway 105 continues to monitor the physical attributes of the communications environments in its connected subnets at block 301.

Embodiment—Topology Discovery Enabled Intrusion Detection in the Smart Building Systems

In the smart building systems, wireless sensor nodes and wireless actuator nodes are deployed in fixed locations of the buildings for monitoring and adjusting the indoor environments, including temperature, humidity, and illumination. These nodes access the core network through smart wireless gateways. A cloud computing platform supported by cloud servers is utilized as the remote system data and control center. The smart wireless gateways are connected to the cloud computing platform through cables.

Sensing and control data are communicated within the smart building systems. External device intrusion can lead to the exposure of private user information and the daily behaviors of residents in the buildings to adversaries. The malicious attackers can also utilize external device intrusion to forge and tamper with control commands to mislead the actuator nodes in the buildings. Thus, the application of the topology discovery enabled intrusion detection method can improve the security and privacy of the smart building systems.

In the initial deployment stage, only the authenticated devices are deployed in a smart building system. The devices are self-organized into wireless sensor and actuator networks and connect to the smart wireless gateways with the best link quality. These devices are assigned a pair of public and private keys by their connected smart wireless gateways for encrypted communications in the enhanced secure mode. The hierarchical topology discovery method is executed to construct the topology of the smart building system in the cloud computing platform.

Since the wireless sensor nodes and wireless actuator nodes are deployed in fixed locations with low mobility, the wireless communication environments tend to be stable. The smart wireless gateways keep monitoring the attributes of the wireless communications environments, including the signal-to-interference-plus-noise ratio (SINR), link quality indicator (LQI), and channel frequency offset (CFO). If the variation of any attribute is beyond a certain threshold, the subnet topology discovery method is triggered, where the thresholds are determined by the practical applications and obtained through multiple rounds of testing in the initial deployment stage.

After the completion of subnet topology discovery, the potential external intruding devices can be identified by the potential external intruding device identification method based on the original and newly discovered logical adjacency matrices. The smart wireless gateway forwards the information of the identified potential external intruding devices to the cloud computing platform for centralized device authentication.

If a potential external intruding device is identified as a true external intruding device, the cloud computing platform sends a control command to the corresponding smart wireless gateway to enforce the disassociation of the external intruding device and trigger the enhanced secure mode. In the enhanced secure mode, all the communicated messages are protected by asymmetric cryptography. The messages are encrypted by the sending devices with their private keys. The messages are decrypted at the receiving devices with the public key.

If a potential external intruding device is authenticated as a trusted device, the cloud computing platform sends a control command to the smart wireless gateway, comprising the instruction to keep the device associated with the system and a request for the newly discovered subnet topology. The smart wireless gateway reports the new subnet topology to the cloud computing platform. In the cloud computing platform, the topology of the entire system is updated. The updated system topology is then multicast to all the smart wireless gateways in the ICT system.

FIG. 7 illustrates an example case of a ZigBee subnet 703 in the smart building system with two external intruding devices (IN1 713 and IN2 714). In the ZigBee subnet 703, there are three temperature sensors (TS1 705, TS2 704, and TS3 710), three humidity sensors (HS1 707, HS2 709, and HS3 711), and three illumination sensors (IS1 708, IS2 706, and IS3 712). The ZigBee subnet 703 is connected to the cloud computing platform 701 through the smart wireless gateway 702. The binary logical adjacency matrix of the ZigBee subnet 703 is shown in Table 1.

TABLE 1 Logical Adjacency Matrix of the ZigBee Subnet before Intrusion

      TS1  TS2  TS3  HS1  HS2  HS3  IS1  IS2  IS3
TS1    0    0    0    1    0    0    1    0    0
TS2    0    0    0    0    1    0    0    1    0
TS3    0    0    0    0    1    1    1    0    0
HS1    1    0    0    0    0    0    1    0    0
HS2    0    1    1    0    0    1    0    1    0
HS3    0    0    1    0    1    0    0    1    1
IS1    1    0    1    1    0    0    0    0    0
IS2    0    1    0    0    1    1    0    0    1
IS3    0    0    0    0    0    1    0    1    0

After the intrusion occurs, the newly discovered logical adjacency matrix of the ZigBee subnet is shown in Table 2.

TABLE 2 Logical Adjacency Matrix of the ZigBee Subnet after Intrusion

      TS1  TS2  TS3  HS1  HS2  HS3  IS1  IS2  IS3  IN1  IN2
TS1    0    0    0    1    0    0    1    0    0    0    0
TS2    0    0    0    0    1    0    0    1    0    0    0
TS3    0    0    0    0    1    1    1    0    0    0    0
HS1    1    0    0    0    0    0    1    0    0    0    1
HS2    0    1    1    0    0    1    0    1    0    0    0
HS3    0    0    1    0    1    0    0    1    1    0    0
IS1    1    0    1    1    0    0    0    0    0    1    1
IS2    0    1    0    0    1    1    0    0    1    1    0
IS3    0    0    0    0    0    1    0    1    0    0    0
IN1    0    0    0    0    0    0    1    1    0    0    0
IN2    0    0    0    1    0    0    1    0    0    0    0

The dimension of Table 1 is 9, while the dimension of Table 2 is 11. The number of potential external intruding devices is determined by (n′ − n), which is 2 and matches the ground truth. The variations in device degree are determined by XV_(i) = Σ_(j=1)^(n′) (C′_(sub,i,j) − C_(sub,i,j)) and the result is shown in Table 3.

TABLE 3 Device Degree Variation Vector

TS1  TS2  TS3  HS1  HS2  HS3  IS1  IS2  IS3  IN1  IN2
 0    0    0    1    0    0    1    1    1    2    2

The variations on the communication links are determined by the element-wise exclusive or $XE = C'_{sub} \oplus C_{sub}$ and the result is given in Table 4.

TABLE 4  Communication Link Variation Matrix

      TS1 TS2 TS3 HS1 HS2 HS3 IS1 IS2 IS3 IN1 IN2
TS1    0   0   0   0   0   0   0   0   0   0   0
TS2    0   0   0   0   0   0   0   0   0   0   0
TS3    0   0   0   0   0   0   0   0   0   0   0
HS1    0   0   0   0   0   0   0   0   0   0   1
HS2    0   0   0   0   0   0   0   0   0   0   0
HS3    0   0   0   0   0   0   0   0   0   0   0
IS1    0   0   0   0   0   0   0   0   0   0   1
IS2    0   0   0   0   0   0   0   0   0   1   0
IS3    0   0   0   0   0   0   0   0   0   1   0
IN1    0   0   0   0   0   0   0   1   1   0   0
IN2    0   0   0   1   0   0   1   0   0   0   0

The devices with non-zero values and non-registered IDs in the device degree variation vector of Table 3 are identified as the potential external intruding devices, namely IN1 713 and IN2 714. The specific intrusion positions are identified by the non-zero items in the communication link variation matrix of Table 4, which indicates that IN1 713 is connected with IS2 706 and IS3 712, and IN2 714 is connected with HS1 707 and IS1 708. The result matches the ground truth as demonstrated in FIG. 7.
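The identification steps above, applied to the FIG. 7 subnet, as an added Python example that is not part of the patent (it also covers the potential external intruding device identification method of claim 10). It builds C_sub and C'_sub from the link sets of Table 1 and Table 4 (the IN1 row of Table 2 as printed lists IS1 and IS2, while Table 3, Table 4 and the text give IS2 and IS3; the example follows the latter), zero-pads C_sub to the new dimension, and computes n′−n, XV and XE; all function and variable names are the example's own.

```python
# Added example (not the patent's own code): steps a-e of the potential
# external intruding device identification method (claim 10), run on the
# FIG. 7 ZigBee subnet. Link sets are constructed from Table 1 and from
# Table 4 / the text (IN1 <-> IS2, IS3; IN2 <-> HS1, IS1).
REGISTERED = ["TS1", "TS2", "TS3", "HS1", "HS2", "HS3", "IS1", "IS2", "IS3"]
ORIGINAL_LINKS = [("TS1", "HS1"), ("TS1", "IS1"), ("TS2", "HS2"), ("TS2", "IS2"),
                  ("TS3", "HS2"), ("TS3", "HS3"), ("TS3", "IS1"), ("HS1", "IS1"),
                  ("HS2", "HS3"), ("HS2", "IS2"), ("HS3", "IS2"), ("HS3", "IS3"),
                  ("IS2", "IS3")]
INTRUSION_LINKS = [("IN1", "IS2"), ("IN1", "IS3"), ("IN2", "HS1"), ("IN2", "IS1")]


def adjacency(ids, links):
    """Binary logical adjacency matrix (symmetric), rows/columns in ids order."""
    idx = {d: k for k, d in enumerate(ids)}
    c = [[0] * len(ids) for _ in ids]
    for a, b in links:
        c[idx[a]][idx[b]] = c[idx[b]][idx[a]] = 1
    return c


def identify_intruders(ids_old, c_old, ids_new, c_new, registered):
    """Returns (n' - n, XV, XE, potential intruders, intrusion positions)."""
    n, n_new = len(ids_old), len(ids_new)                    # step a
    idx = {d: k for k, d in enumerate(ids_new)}
    # C_sub is n x n; embed it in an n' x n' zero matrix, mapping each archived
    # ID to its row in the new discovery, so the element-wise subtraction (XV)
    # and exclusive-or (XE) line up even if the new discovery orders devices
    # differently. Rows of IDs absent from the archive stay all-zero.
    c_pad = [[0] * n_new for _ in range(n_new)]
    for i, a in enumerate(ids_old):
        for j, b in enumerate(ids_old):
            c_pad[idx[a]][idx[b]] = c_old[i][j]
    xv = [sum(c_new[i][j] - c_pad[i][j] for j in range(n_new)) for i in range(n_new)]  # step c
    xe = [[c_new[i][j] ^ c_pad[i][j] for j in range(n_new)] for i in range(n_new)]     # step b
    suspects = [d for k, d in enumerate(ids_new)
                if xv[k] != 0 and d not in registered]                                  # step d
    positions = sorted((ids_new[i], ids_new[j]) for i in range(n_new)
                       for j in range(i + 1, n_new) if xe[i][j])                        # step e
    return n_new - n, xv, xe, suspects, positions


def fig7_example():
    """Reproduces Table 3 (XV) and Table 4 (XE) for the FIG. 7 intrusion."""
    ids_new = REGISTERED + ["IN1", "IN2"]
    c_old = adjacency(REGISTERED, ORIGINAL_LINKS)
    c_new = adjacency(ids_new, ORIGINAL_LINKS + INTRUSION_LINKS)
    return identify_intruders(REGISTERED, c_old, ids_new, c_new, REGISTERED)
```

Calling fig7_example() returns n′−n = 2, XV equal to the Table 3 row, IN1 and IN2 as the potential intruders, and the four link positions of Table 4.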

What is claimed is:
1. A topology discovery enabled intrusion detection method in a hierarchical information and communications technology (ICT) system consisting of a system center tier comprising one or more ICT system data and control centers, a gateway tier formed by interconnected multi-service gateways, and a subnet tier composed of one or more subnets for supporting end devices, comprises the steps of: a. with the coordination of the ICT system data and control center(s), executing the hierarchical topology initial discovery at each subnet and gateway network independently to construct the topology of the entire ICT system at the ICT system data and control center(s); b. monitoring the physical attributes of the communications environments in all the subnets by the directly connected multi-service gateways; c. determining whether any of the physical attributes in a subnet is changed beyond the predetermined threshold; d. triggering the subnet topology discovery method at the directly connected multi-service gateway when the change of the physical attributes is beyond the predetermined thresholds; e. executing the potential external intruding device identification method at each multi-service gateway based on the archived original subnet topology and the newly discovered subnet topology to identify all potential external intruding devices which cause subnet topology changes and have access to the subnet; f. reporting the information of potential external intruding devices from the multi-service gateway to the ICT system data and control center for centralized device authentication; g. determining whether a potential external intruding device is a true external intruding device by validating the ICT system specific security credentials; h. when a potential external intruding device fails to present the required security credential, the ICT system data and control center sends control commands and instructions to the corresponding multi-service gateway to enforce the disassociation of the external intruding device from the corresponding subnet and trigger the enhanced secure mode in the subnet; i. when a potential external intruding device is authenticated by the ICT system data and control center by the necessary security credentials, the ICT system data and control center sends control commands to the multi-service gateway to label the potential external intruding device as a trusted device and update the subnet topology at the multi-service gateway with the newly discovered version; j. reporting the updated subnet topology from the multi-service gateway to the ICT system data and control center; k. updating the topology of the entire ICT system at the ICT system data and control center with the updated subnet topology uploaded from the multi-service gateway; l. multicasting the updated topology of the entire ICT system to all the multi-service gateways.
2. The method of claim 1, wherein the system topology of an ICT system consists of the topology of the gateway tier and the topologies of all the subnets in the subnet tier.
3. The method of claim 1, wherein an end device has inherent communication capabilities, in addition to but not limited to further capabilities in supporting diverse applications for sensing, controlling, and actuating purposes.
4. The method of claim 1, wherein the ICT system consists of a hierarchical network architecture and the supporting operational protocol. The ICT system is often designed with additional security and authentication mechanisms and operated for supporting specific applications and goals, for instance, smart buildings and intelligent transportation systems.
5. The method of claim 1, wherein the physical attributes refer to the characteristics of the communications environments, for instance, the signal-to-interference-plus-noise ratio (SINR) for wireless communications and the message density for wired communications.
6. The method of claim 1, wherein the thresholds for evaluating the extent of change of physical attributes in a subnet are predetermined by the practical applications and obtained through multiple rounds of testing in the initial deployment stage.
7. The method of claim 1, wherein the hierarchical topology initial discovery method comprises the steps of: a. multi-service gateways reporting their device IDs and local neighbor tables to the ICT system data and control center; b. constructing the topology of the gateway tier at the ICT system data and control center based on the device IDs and the connectivity status stated in the local neighbor tables; c. multi-service gateways triggering the subnet topology discovery process; d. determining whether the processes of subnet topology discovery are completed or not at the multi-service gateways; e. upon the completion of subnet topology discovery, constructing the topologies of the subnets at the corresponding multi-service gateways based on the collected device IDs and local neighbor tables; f. reporting the topologies of the subnets from the multi-service gateways to the ICT system data and control center; g. constructing the topology of the entire ICT system at the ICT system data and control center.
8. The methods of claim 1 and claim 7, wherein the subnet topology discovery method comprises the steps of: a. a multi-service gateway randomly selecting one of its connected devices within its subnet as the starting device for topology discovery; b. generating a packet by the multi-service gateway and forwarding the packet to the starting device of step a for information collection; c. upon receiving the packet, the starting device adds its device ID and local neighbor table to the payload of the packet; d. by randomly selecting one of the devices directly connected to the current device as the next-hop destination device, the current device forwards the packet to the destination device; e. determining whether the destination device is the starting device; f. if the destination device is not the starting device, determining whether the destination device is hit for the first time by checking whether its device ID is included in the payload of the packet; g. if the destination device is hit for the first time, adding its device ID and local neighbor table to the payload of the packet, thereafter repeating steps d-e; h. if the destination device is not hit for the first time, just repeating steps d-e; i. if the destination device is the starting device, then reporting the returned packet from the starting device to the multi-service gateway; j. determining whether the process of the subnet topology discovery converges at the multi-service gateway by checking whether the number of hit devices has been stable for half of the packet returning times; k. if the process does not converge, repeating steps a-j; l. if the process converges, terminating the method.
9. The methods of claim 7 and claim 8, wherein the local neighbor table is a locally stored list that consists of the directly connected devices.
10. The method of claim 1, wherein the potential external intruding device identification method comprises the steps of: a. determining the number of potential external intruding devices in the subnet by the difference between the dimensions of the archived original and newly discovered logical adjacency matrices of the subnet topology at the multi-service gateway; b. determining the variations of communication links incurred by the intrusion by the exclusive or calculation between the archived original and newly discovered logical adjacency matrices; c. determining the variations of device degree by cumulating the difference between the archived original and newly discovered logical adjacency matrices; d. identifying the potential external intruding devices by the non-zero items with non-registered IDs in the device degree variation vector; e. identifying the intrusion positions by the non-zero items in the communication link variation matrix.
11. The method of claim 10, wherein the device degree is the number of directly connected devices.
12. The method of claim 1, wherein the enhanced secure mode refers to the situation in which all the messages communicated over the intruded subnet are encrypted by asymmetric cryptography.
13. An embodiment of applying the topology discovery enabled intrusion detection mechanism to the smart building system consisting of a cloud computing platform as the system data and control center, smart wireless gateways as the multi-service gateways, and wireless sensor and actuator devices as the static end devices comprises the following steps: a. executing the hierarchical topology discovery method to construct the system topology of the smart building system in the cloud computing platform; b. monitoring the physical layer attributes of the subnets self-organized by the wireless sensor and actuator devices by the connected smart wireless gateways, including signal-to-interference-plus-noise ratio (SINR), link quality indicator (LQI), and channel frequency offset (CFO); c. determining whether any of the physical layer attributes in a subnet is changed beyond the predetermined threshold obtained through multiple rounds of testing in the initial deployment stage; d. if yes, triggering the subnet topology discovery method at the connected smart wireless gateway; e. executing the potential external intruding device identification method at the smart wireless gateway based on the archived original and newly discovered logical adjacency matrices of the subnet topology to identify the potential external intruding devices; f. reporting the information of the potential external intruding devices from the smart wireless gateway to the cloud computing platform for centralized device authentication; g. determining whether a potential external intruding device is a true external intruding device or a trusted device in the cloud computing platform; h. if the potential external intruding device is a true external intruding device, sending control commands from the cloud computing platform to the smart wireless gateway to enforce the disassociation of the external intruding device from the smart building system and trigger the enhanced secure mode in the subnet to encrypt the messages communicated over the intruded subnet; i. if the external intruding device is a trusted device, sending control commands from the cloud computing platform to the smart wireless gateway to keep the device associated with the smart building system and update the subnet topology at the smart wireless gateway with the newly discovered version; j. reporting the updated subnet topology from the smart wireless gateway to the cloud computing platform; k. updating the system topology of the entire smart building system in the cloud computing platform with the subnet topology received from the smart wireless gateway; l. multicasting the updated system topology of the entire smart building system to all the smart wireless gateways.
14. The embodiment of claim 13, wherein the system topology of the smart building system comprises the topology of the wireless mesh network formed by the smart wireless gateways and the topologies of all the subnets self-organized by wireless sensor and actuator devices.
15. An embodiment of applying the topology discovery enabled intrusion detection mechanism to an information and communication technology (ICT) system consisting of a hierarchical network architecture, embedded computing resources, and sensing/controlling and actuating devices in supporting diverse industrial applications, including but not limited to smart building systems, intelligent transportation systems, and the Internet-of-Things.
16. An embodiment of applying the disclosed topology discovery method to hierarchical, homogeneous, heterogeneous, and hybrid information and communication technology (ICT) systems for enabling intrusion detection.
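The random-walk subnet topology discovery of claims 7 to 9, simulated over the FIG. 7 subnet, as an added Python example that is not the patent's own code. The local neighbor tables are constructed from Table 1, the gateway is assumed able to start a packet at any subnet device (step a), and the convergence test of step j is read as "the number of hit devices unchanged over the most recent half of the packet returns", which is an assumption about the claim's wording; the function names are the example's own.

```python
import random

# Constructed from Table 1: each device's local neighbor table (claim 9).
NEIGHBOR_TABLES = {
    "TS1": ["HS1", "IS1"], "TS2": ["HS2", "IS2"], "TS3": ["HS2", "HS3", "IS1"],
    "HS1": ["TS1", "IS1"], "HS2": ["TS2", "TS3", "HS3", "IS2"],
    "HS3": ["TS3", "HS2", "IS2", "IS3"], "IS1": ["TS1", "TS3", "HS1"],
    "IS2": ["TS2", "HS2", "HS3", "IS3"], "IS3": ["HS3", "IS2"],
}


def one_walk(tables, start, rng):
    """Steps b-i: the packet hops to a random neighbor until it is back at
    start, collecting the ID and local neighbor table of each first-hit device."""
    payload = {start: list(tables[start])}        # step c
    current = start
    while True:
        current = rng.choice(tables[current])     # step d: random next hop
        if current == start:                      # steps e, i: packet returned
            return payload
        if current not in payload:                # steps f, g: first hit
            payload[current] = list(tables[current])


def discover_subnet(tables, gateway_devices, rng, max_returns=1000):
    """Steps a and j-l: repeat walks from random starting devices until the
    number of hit devices has stayed constant over the most recent half of
    the packet returns (an assumed reading of step j), then build C_sub."""
    known, history = {}, []
    while len(history) < max_returns:
        known.update(one_walk(tables, rng.choice(gateway_devices), rng))
        history.append(len(known))
        half = len(history) // 2
        if half >= 2 and len(set(history[-half:])) == 1:
            break
    # IDs named only inside a collected neighbor table are placed as well.
    ids = sorted(set(known) | {b for nbrs in known.values() for b in nbrs})
    idx = {d: k for k, d in enumerate(ids)}
    c = [[0] * len(ids) for _ in ids]
    for a, nbrs in known.items():
        for b in nbrs:
            c[idx[a]][idx[b]] = c[idx[b]][idx[a]] = 1
    return ids, c, history


def discover_fig7(seed=7):
    """Runs the discovery over the FIG. 7 subnet with a fixed random seed."""
    return discover_subnet(NEIGHBOR_TABLES, sorted(NEIGHBOR_TABLES), random.Random(seed))
```

Because the convergence rule stops as soon as the hit count stops growing, a run can terminate before every device has been hit; the discovered matrix is then a sub-topology of Table 1, never a matrix containing links that do not exist.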